Session Persistence (Sticky Sessions)

Before cookies dominated the web, before sophisticated HTTP parsing became commonplace, there was a simpler approach to session persistence: use the client's IP address as the identifier.

The logic seems elegant: every TCP connection has a source IP address. If we consistently route all requests from the same IP to the same backend server, we achieve session affinity without any application-layer involvement. No cookies to manage, no HTTP headers to parse, no client cooperation required.

This simplicity made IP-based persistence the go-to solution for early load balancers and Layer 4 routing. It remains widely available today (often called 'source IP affinity,' 'IP hash,' or 'client IP persistence').

But here's the uncomfortable truth: IP-based persistence is fundamentally broken in the modern internet.

Not 'sometimes problematic.' Not 'edge-case limited.' Fundamentally broken for most real-world scenarios. This page explains why—while also identifying the narrow situations where IP-based persistence still makes sense.

IP-based persistence operates at the network layer, making routing decisions based on the source IP address of incoming connections. Here's the fundamental algorithm:

Basic Hash Algorithm:

server_index = hash(source_ip_address) % number_of_servers

The load balancer:

1. Extracts source IP from incoming packet
2. Applies a hash function to the IP
3. Maps the hash result to a server index
4. Routes all future requests from that IP to the same server

Two Implementation Approaches:

Consistent Hashing Variant:

Modern implementations often use consistent hashing to minimize disruption when servers are added or removed:

• Traditional hash: Adding a server changes ~(1/n) × (n-1/n) ≈ 100% of mappings
• Consistent hash: Adding a server changes only ~1/n of mappings

With 10 servers, removing one server with traditional hashing shuffles approximately 90% of clients. With consistent hashing, it's approximately 10%—a dramatic improvement for operational stability.

The fundamental assumption of IP-based persistence is that each user has a unique, stable IP address. This assumption is catastrophically wrong in the modern internet.

Network Address Translation (NAT):

NAT allows multiple devices to share a single public IP address. Originally a workaround for IPv4 address exhaustion, NAT is now ubiquitous:

• Home networks: Your household's 5-10 devices share one public IP
• Corporate networks: Thousands of employees share a handful of IPs
• Universities: Entire campuses behind NAT gateways
• Public WiFi: Coffee shop, airport, hotel—all users share IPs

The Scale of the Problem:

Carrier-Grade NAT (CGN):

IPv4 exhaustion has driven ISPs to deploy Carrier-Grade NAT (CGN), also called Large Scale NAT (LSN). Under CGN:

• Entire neighborhoods share a single public IP
• Thousands of subscribers appear as one client
• Load balancing becomes meaningless—one server gets ALL traffic

Major ISPs worldwide deploy CGN. In some developing regions, CGN is universal. Your assumption of 'one IP = one user' might be off by a factor of 10,000.

Visualization of the Problem:

NAT causes load imbalance, but mobile networks create a different problem: IP addresses that change mid-session.

Why Mobile IPs Change:

1. Cell Tower Handoffs: Moving between towers can trigger IP changes
2. WiFi-to-Cellular Transitions: Switching networks changes IP completely
3. Carrier NAT Rotation: Some carriers rotate CGN IPs periodically
4. Network Timeouts: Idle connections may get new IPs upon resumption
5. IPv6 Privacy Extensions: Mobile IPv6 often uses temporary addresses

The Session Destruction Pattern:

The Scale of Mobile Traffic:

As of 2024, mobile devices account for approximately 60% of global web traffic. In many regions, mobile-first users dominate. An architecture that breaks for mobile users is broken for the majority of your users.

WiFi Offload Complexity:

Modern smartphones aggressively offload traffic to WiFi when available:

• User starts on WiFi at home (IP: home router)
• User leaves, switches to cellular (IP: carrier NAT)
• User arrives at work, switches to corporate WiFi (IP: corporate NAT)
• User goes to lunch at café, switches to café WiFi (IP: café router)

That's potentially four different IP addresses in a single morning, each potentially routing to a different server. Any session state stored on Server 1 is lost when the user hits Server 2.

Beyond NAT and mobile networks, various proxy technologies further complicate IP-based persistence:

Forward Proxies:

Organizations route traffic through forward proxies for security, filtering, or caching:

• Corporate proxy servers aggregate many users behind few IPs
• School content filters do the same
• Privacy-conscious users employ proxy services

Reverse Proxies and CDNs:

If you're behind a CDN (Cloudflare, Akamai, CloudFront), the 'source IP' your origin load balancer sees is the CDN edge server—not the actual client:

Client (IP: 203.0.113.50) → CDN Edge (IP: 198.51.100.1) → Your Load Balancer

Your load balancer sees 198.51.100.1 for millions of different users. All CDN traffic from that edge server gets routed to the same backend.

VPN Services:

VPN usage has exploded for privacy, remote work, and geo-circumvention:

• All users of a popular VPN exit node share that IP
• Users may switch between VPN servers
• Corporate VPNs concentrate enterprise traffic

The X-Forwarded-For 'Solution' (and Why It's Not):

Some suggest using X-Forwarded-For header instead of TCP source IP. This header (when properly set by proxies) contains the original client IP:

X-Forwarded-For: client_ip, proxy1_ip, proxy2_ip

Problems with X-Forwarded-For:

1. Trust Issues: Anyone can forge this header. You can only trust it from known, trusted proxies.
2. Layer 7 Only: Requires HTTP parsing; can't use for non-HTTP protocols.
3. Still Subject to NAT: The 'original' client IP is still behind NAT.
4. Configuration Complexity: Different proxies handle XFF differently.
5. IPv6 Complications: Mixed IPv4/IPv6 environments create inconsistencies.

After all these warnings, are there scenarios where IP-based persistence works? Yes—narrow but legitimate use cases exist:

Scenario 1: Internal Services / Service-to-Service Communication

Within a datacenter or cloud VPC, service-to-service calls have stable, unique IPs:

• Microservice A (IP: 10.0.1.50) calls Microservice B cluster
• IP persistence routes A's traffic consistently
• No NAT, no mobile networks, no proxies

Scenario 2: Known, Controlled Client Population

When you control clients and know their network topology:

• Internal enterprise applications with dedicated client IPs
• Embedded devices with static configurations
• B2B interfaces with whitelisted partner IPs

Scenario 3: Non-HTTP Protocols

For protocols without cookie/header support, IP persistence may be the only option:

• Database connection pooling
• Raw TCP streaming services
• SMTP relay servers
• Gaming servers (UDP-based)

Scenario 4: Short-Duration Affinity

When persistence only needs to last seconds, not sessions:

• Multi-packet transactions (file uploads over UDP)
• Connection establishment phases
• Burst-mode operations

If you answered 'yes' to most of these, IP persistence might work.

But if even one involves public internet users, mobile clients, or web browsers—reconsider. The edge cases will bite you eventually.

Despite its limitations, you may need to configure IP persistence for specific scenarios. Here's how across major platforms:

If you're using IP-based persistence, monitoring is critical to detect the inevitable problems:

Key Metrics to Watch:

Troubleshooting Common Issues:

Issue 1: Severe Load Imbalance

Symptoms: One server at 90% CPU, others at 10%.

Diagnosis:

1. Check source IP distribution (are many requests from few IPs?)
2. Look for large NAT (corporate, CGN)
3. Check if CDN is configured (all traffic from CDN IPs)

Mitigation:

• Switch to cookie-based persistence
• For CGN, consider hybrid approach with fallback load balancing
• Implement connection limiting per IP

Issue 2: Sessions Breaking for Specific Users

Symptoms: Certain users report constant session loss, others unaffected.

Diagnosis:

1. Check if affected users are mobile (IP changing)
2. Check if affected users are behind proxy/VPN
3. Verify consistent hashing is enabled (server pool changes)

Mitigation:

• Longest-term: Migrate to cookie-based persistence
• Short-term: Increase session timeout, externalize session store

Issue 3: All Traffic Going to One Server After Deployment

Symptoms: After adding/removing servers, traffic distribution radically changes.

Diagnosis:

1. Check if consistent hashing is enabled
2. Verify server pool configuration matches actual servers
3. Check for health check failures affecting routing

Mitigation:

• Enable consistent hashing (hash-type consistent in HAProxy)
• Use gradual server additions (blue-green deployment)
• Implement connection draining before removal

We've thoroughly examined IP-based persistence—its mechanics, failures, and limited appropriate uses. Let's synthesize:

What's Next:

We've now covered both major persistence mechanisms—cookies and IP-based. But sticky sessions, regardless of implementation, have fundamental drawbacks. Next, we'll examine the drawbacks of sticky sessions as an architectural pattern—load imbalance, failover complexity, and scalability constraints—setting up the case for stateless alternatives.